SELinux & apache/httpd access to /home/*/www

Stephen Smalley sds at epoch.ncsc.mil
Wed Sep 15 16:03:05 UTC 2004


On Wed, 2004-09-15 at 08:32, Cream[DONut] wrote:
> Hello,
> 
> My problem is this:
> I host some small PHP & MySQL websites for friends and family, they have 
> their VirtualHost DocumentRoots in "/home/[name]/www" (and is working 
> fine with SELinux disabled).
> 
> I am running SELinux with SELINUX=enforcing, SELINUXTYPE=targeted.
> 
> SELinux seems to be blocking httpd from accessing /home/name/www, 
> at least when trying to start apache it complains:
> Starting httpd: Warning: DocumentRoot [/home/xxxxxx/www] does not exist
> Warning: DocumentRoot [/home/yyyyy/www] does not exist
> [FAILED]
> 
> (The non virtualhost root in /var/www/html works fine, but if moved to 
> /home/xxxxxx/www it fails)
> 
> /etc/selinux/targeted/contexts/files/file_contexts contains:
> # apache
> /home/[^/]+/((www)|(web)|(public_html))(/.+)?    system_u:object_r:httpd_user_content_t
> 
> Which to me would seem to match the /home/[name]/www
> (I have tried upgrading to selinux-policy-targeted-1.17.12-1, but it 
> didn't fix the problem)
> 
> (I have the individual logfiles in /home/[name]/log, which probably 
> presents another problem.)
> 
> I don't quite understand the quirks of SELinux, so I'd certainly 
> appreciate some direction.

audit2allow -v -d will generate allow rules from the audit messages
generated by any denials, or you can inspect dmesg output or
/var/log/messages directly for lines that have "avc:  denied...".

ls -aZ /home/[name]/www will show you the current security contexts on
the directory and its files.

One possible cause would be that the filesystem type for /home doesn't
support extended attributes (e.g. NFS) and thus SELinux couldn't label
/home/[name]/www with the expected type.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
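Added example, not part of the thread: POSIX sh helpers that mirror the three checks Stephen suggests (summarise the "avc:  denied" lines, read the type out of an "ls -aZ" line, and find which filesystem backs /home so you can tell whether it can hold SELinux labels at all). The AVC lines, the ls -Z line and the /proc/mounts snapshot are constructed sample data; the list of label-capable filesystems is a simplifying assumption for 2004-era kernels.

```shell
#!/bin/sh
# Constructed sample input (not taken from the thread).
SAMPLE_AVC='audit(1095264123.456:12): avc:  denied  { search } for  pid=2431 comm="httpd" name="www" dev=hda3 ino=12345 scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir
audit(1095264123.789:13): avc:  denied  { read } for  pid=2431 comm="httpd" name="index.php" dev=hda3 ino=12346 scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file'
SAMPLE_LS='drwxr-xr-x  alice alice system_u:object_r:user_home_t www'
SAMPLE_MOUNTS='/dev/hda2 / ext3 rw 0 0
fileserver:/export/home /home nfs rw,addr=192.0.2.10 0 0'

# 1. One "comm perm tcontext tclass" line per distinct denial in dmesg /
#    /var/log/messages text (this is roughly what audit2allow reads).
summarize_avc() {
    printf '%s\n' "$1" |
        sed -n 's/.*avc:  denied  { \([^}]*\) } .*comm="\([^"]*\)".*tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\2 \1 \3 \4/p' |
        sort -u
}

# 2. The SELinux type of an "ls -aZ" line: the context is the column that
#    contains ":object_r:", and the type is its third colon-separated field.
type_of_ls_line() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep ':object_r:' | cut -d: -f3 | head -n 1
}

# 3. Filesystem type backing a path, from /proc/mounts text: the longest
#    mount point that is a path-component prefix of the path wins.
fs_type_for_path() {
    printf '%s\n' "$2" | awk -v p="$1" '
        { m = $2
          ok = (m == "/") ||
               (substr(p, 1, length(m)) == m &&
                (length(p) == length(m) || substr(p, length(m) + 1, 1) == "/"))
          if (ok && length(m) >= best) { best = length(m); t = $3 } }
        END { print t }'
}

# Assumption: these local filesystems store the security.selinux xattr;
# NFS (and tmpfs) do not, so files there cannot carry httpd_user_content_t.
fs_supports_selinux_labels() {
    case "$1" in ext2|ext3|xfs|jfs|reiserfs) return 0 ;; *) return 1 ;; esac
}

# Put the pieces together for one DocumentRoot.
diagnose() {   # $1 = "ls -aZ" line of the directory, $2 = path, $3 = mounts text
    t=$(type_of_ls_line "$1"); fs=$(fs_type_for_path "$2" "$3")
    if [ "$t" = httpd_user_content_t ]; then echo "label ok ($fs)"
    elif fs_supports_selinux_labels "$fs"; then echo "mislabelled ($t) on $fs: run restorecon -R $2"
    else echo "$fs cannot store labels, files fall back to $t"; fi
}
```

On a live box, feed `dmesg`, `ls -adZ /home/name/www` and `cat /proc/mounts` into the same functions instead of the sample strings.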




More information about the fedora-selinux-list mailing list